<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Conditional-Access — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/conditional-access/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 29 May 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/conditional-access/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthorized Modification of Azure Conditional Access Policy</title><link>https://feed.craftedsignal.io/briefs/2024-05-29-azure-ca-policy-update/</link><pubDate>Wed, 29 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-29-azure-ca-policy-update/</guid><description>An unauthorized actor modifies an Azure Conditional Access policy, potentially leading to privilege escalation, credential access, persistence, or defense impairment.</description><content:encoded><![CDATA[<p>Compromised or malicious actors may attempt to modify Azure Conditional Access (CA) policies to weaken security controls, elevate privileges, or establish persistence within the Azure environment. Conditional Access policies are critical for enforcing organizational security standards, and unauthorized changes can have significant security implications. This activity is detected through Azure Audit Logs by monitoring for &ldquo;Update conditional access policy&rdquo; events. Defenders should investigate any modifications to Conditional Access policies to ensure they are legitimate and align with security best practices. 
Detecting and responding to unauthorized CA policy modifications is crucial for maintaining the integrity and security of the Azure environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access through compromised credentials or other means (not specified in source).</li>
<li><strong>Privilege Escalation:</strong> The attacker leverages existing privileges or exploits vulnerabilities to gain sufficient permissions to modify Conditional Access policies (e.g., through a compromised Global Administrator account).</li>
<li><strong>Policy Enumeration:</strong> The attacker enumerates existing Conditional Access policies to identify targets for modification using tools like Azure PowerShell or the Azure portal.</li>
<li><strong>Policy Modification:</strong> The attacker modifies a Conditional Access policy, for example, by weakening MFA requirements, excluding specific users or groups from the policy, or disabling the policy altogether.</li>
<li><strong>Persistence:</strong> By weakening or disabling Conditional Access policies, the attacker establishes a persistent foothold in the environment, allowing them to bypass security controls and maintain unauthorized access.</li>
<li><strong>Credential Access:</strong> With weakened MFA or other access controls, the attacker gains easier access to sensitive credentials.</li>
<li><strong>Defense Impairment:</strong> The modification of CA policies impairs the organization&rsquo;s defense mechanisms, making it easier for the attacker to perform malicious activities undetected.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of Conditional Access policies can lead to significant security breaches, including unauthorized access to sensitive data, privilege escalation, and persistent compromise of the Azure environment. The number of affected users and resources depends on the scope of the modified policies. Organizations may experience data loss, financial losses, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;CA Policy Updated by Non Approved Actor&rdquo; Sigma rule to your SIEM to detect unauthorized modifications to Conditional Access policies within your Azure environment.</li>
<li>Review the <code>properties.message</code> field in the Azure Audit Logs for &ldquo;Update conditional access policy&rdquo; events and compare &ldquo;old&rdquo; vs &ldquo;new&rdquo; values to understand the nature of the changes.</li>
<li>Implement strict role-based access control (RBAC) to limit the number of users who can modify Conditional Access policies.</li>
<li>Investigate any alerts generated by the Sigma rule and verify whether the user identity, user agent, and/or hostname should be making changes in your environment.</li>
<li>Enable multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise (this addresses the attack.credential-access tag).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>conditional-access</category><category>policy-modification</category><category>attack.privilege-escalation</category><category>attack.credential-access</category><category>attack.persistence</category><category>attack.defense-impairment</category><category>attack.t1548</category><category>attack.t1556</category></item><item><title>Unauthorized Removal of Azure Conditional Access Policy</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-azure-ca-policy-removal/</link><pubDate>Tue, 09 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-azure-ca-policy-removal/</guid><description>An unauthorized actor removes a Conditional Access policy in Azure, potentially weakening the organization's security posture and enabling privilege escalation or credential access.</description><content:encoded><![CDATA[<p>The unauthorized removal of a Conditional Access (CA) policy in Azure Active Directory can significantly weaken an organization&rsquo;s security posture. Conditional Access policies are critical for enforcing multi-factor authentication, device compliance, and other security controls based on user, location, device, and application conditions. When a non-approved actor removes such a policy, it can open the door for privilege escalation, credential access, and persistence by malicious actors. This activity is often performed after an initial compromise to disable security controls and move laterally within the environment. Identifying and responding to such removals promptly is essential to maintain a strong security posture.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to an account with sufficient privileges to view and modify Azure Active Directory settings. This could be through phishing, password spraying, or exploiting a vulnerability.</li>
<li>Privilege Escalation: The attacker escalates privileges within Azure AD to gain the necessary permissions to manage Conditional Access policies. This might involve adding themselves to a privileged role or exploiting misconfigurations in existing roles.</li>
<li>Discovery: The attacker enumerates existing Conditional Access policies to identify targets for removal. They may focus on policies that enforce MFA or restrict access based on location.</li>
<li>Defense Evasion: The attacker disables or modifies logging configurations to reduce the likelihood of detection.</li>
<li>Policy Removal: The attacker removes the targeted Conditional Access policy using the Azure portal, PowerShell, or the Azure CLI. The audit logs will record a &ldquo;Delete conditional access policy&rdquo; event.</li>
<li>Credential Access: With the CA policy removed, the attacker may attempt to access sensitive resources or applications without MFA, potentially gaining access to credentials or sensitive data.</li>
<li>Persistence: The attacker establishes persistence by creating new user accounts or modifying existing ones to maintain access even if their initial entry point is discovered.</li>
<li>Lateral Movement: The attacker leverages the compromised credentials and weakened security controls to move laterally to other systems and resources within the organization.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful removal of a Conditional Access policy can lead to widespread compromise. Attackers can bypass multi-factor authentication, gain unauthorized access to sensitive data, and escalate privileges within the organization. The impact can range from data breaches and financial losses to reputational damage and compliance violations. Depending on the scope of the compromised policy, the number of affected users could range from dozens to thousands.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect the &ldquo;Delete conditional access policy&rdquo; event in Azure audit logs, indicating a CA policy removal.</li>
<li>Regularly review and audit Azure Active Directory role assignments to minimize the risk of unauthorized privilege escalation.</li>
<li>Implement multi-factor authentication for all user accounts, especially those with administrative privileges.</li>
<li>Monitor Azure audit logs for unusual activity, such as changes to user accounts, role assignments, and Conditional Access policies.</li>
<li>Investigate any detected instances of CA policy removal to determine the scope of the compromise and take appropriate remediation steps.</li>
<li>Review and harden Conditional Access policies to ensure they are effectively protecting critical resources and applications.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>conditional-access</category><category>privilege-escalation</category><category>credential-access</category><category>persistence</category><category>defense-impairment</category></item><item><title>User Removed from Group with Conditional Access Policy Modification Access</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-group-removal/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-group-removal/</guid><description>An attacker removes a user from a privileged Azure Active Directory group with permissions to modify Conditional Access policies, potentially leading to privilege escalation, persistence, or defense evasion.</description><content:encoded><![CDATA[<p>This activity involves the removal of a user from an Azure Active Directory (Azure AD) group that possesses the ability to modify Conditional Access (CA) policies. Conditional Access policies are critical for enforcing organizational security standards and access controls. The removal of users from these groups can be an attempt by a malicious actor to disrupt security measures, escalate privileges, or establish persistence within the Azure environment. An attacker with sufficient privileges may remove legitimate administrators from CA policy modification groups to bypass multi-factor authentication or other controls, potentially gaining unauthorized access to sensitive resources. This activity is of concern to defenders as it can be a precursor to more significant compromises.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to an Azure AD account with sufficient privileges, possibly through credential theft or account compromise.</li>
<li>The attacker enumerates Azure AD groups to identify those with permissions to manage or modify Conditional Access policies.</li>
<li>The attacker identifies a target user account that is a member of the identified privileged group.</li>
<li>The attacker uses Azure AD administrative tools or PowerShell cmdlets to remove the target user from the privileged group.</li>
<li>The Azure Audit Logs record the event &ldquo;Remove member from group&rdquo; related to the targeted group and user.</li>
<li>The attacker modifies Conditional Access policies to weaken security controls, such as disabling multi-factor authentication or allowing access from untrusted locations.</li>
<li>The attacker leverages the weakened security posture to gain unauthorized access to sensitive resources or data.</li>
<li>The attacker establishes persistence by creating new, attacker-controlled accounts with high privileges or by modifying existing accounts to bypass security controls.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful removal of a user from a Conditional Access policy modification group can lead to significant security breaches. Attackers can weaken or disable MFA requirements, bypass location-based restrictions, and gain unauthorized access to sensitive applications and data. This can result in data exfiltration, financial loss, and reputational damage. The scope of the impact depends on the permissions assigned through the compromised Conditional Access policies.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;User Removed From Group With CA Policy Modification Access&rdquo; to your SIEM to detect unauthorized removal of users from critical groups with CA modification access (logsource: azure, service: auditlogs).</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the context of the removed user and the target group.</li>
<li>Implement multi-factor authentication (MFA) for all administrative accounts, including those with permissions to manage Conditional Access policies.</li>
<li>Review and audit Azure AD group memberships regularly, especially for groups with elevated privileges.</li>
<li>Monitor Azure AD audit logs for suspicious activity related to group membership changes and Conditional Access policy modifications (logsource: azure, service: auditlogs).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>conditional-access</category><category>privilege-escalation</category></item><item><title>Unauthorized Conditional Access Policy Creation in Azure AD</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-ca-policy-add/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-ca-policy-add/</guid><description>An unauthorized actor created a new Conditional Access policy in Azure AD, potentially leading to privilege escalation and unauthorized access.</description><content:encoded><![CDATA[<p>This threat brief addresses the creation of a new Conditional Access (CA) policy within Azure Active Directory (Azure AD) by an actor not authorized to perform such actions. Conditional Access policies are critical security controls that enforce organizational policies based on various conditions, such as user identity, location, device, and application. Unauthorized modification or creation of these policies can lead to significant security breaches, allowing attackers to bypass security controls, escalate privileges, and gain unauthorized access to sensitive resources. This activity is detected via Azure Audit Logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access to an account with sufficient privileges to interact with Azure AD, potentially through compromised credentials or an insider threat.</li>
<li><strong>Privilege Escalation (If Needed):</strong> The attacker escalates privileges within Azure AD to a role that permits the creation or modification of Conditional Access policies.</li>
<li><strong>Policy Creation:</strong> The attacker creates a new Conditional Access policy using the Azure portal, PowerShell, or Azure CLI.</li>
<li><strong>Policy Configuration:</strong> The attacker configures the CA policy to weaken security controls, such as disabling MFA for specific users, locations, or applications.</li>
<li><strong>Bypass Security Controls:</strong> The newly created or modified CA policy allows the attacker to bypass intended security controls, granting them unauthorized access.</li>
<li><strong>Lateral Movement:</strong> With bypassed security controls, the attacker moves laterally within the network, accessing sensitive resources and data.</li>
<li><strong>Data Exfiltration/Impact:</strong> The attacker achieves their final objective, such as exfiltrating sensitive data or causing disruption to business operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The creation of unauthorized Conditional Access policies can have severe consequences, including unauthorized access to sensitive data, privilege escalation, and circumvention of security controls. The impact can range from data breaches and financial loss to reputational damage and disruption of critical business services. If successful, attackers could gain complete control over the Azure AD environment, affecting all connected services and applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect unauthorized CA policy creation events in Azure Audit Logs.</li>
<li>Review Azure AD role assignments to ensure least privilege and restrict CA policy management to authorized personnel only.</li>
<li>Investigate any alerts generated by the Sigma rule to identify the actor and the details of the created CA policy.</li>
<li>Implement multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise.</li>
<li>Monitor Azure AD audit logs for other suspicious activities, such as changes to user accounts, group memberships, and application registrations.</li>
<li>Establish a baseline of expected CA policy configurations and alert on deviations from this baseline.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>conditional-access</category><category>privilege-escalation</category><category>attack.privilege-escalation</category><category>attack.t1548</category></item></channel></rss>